Win32.Yok

Although I've posted the message below on the Security and Vulnerability page, I'd like to post it here too because the 'false positive' finding that seems to be accepted, is certainly a topic for discussion.

Several ZA users have found Win32.Yok, and Win32.Yok.Supersearch, reported as spyware. Both are reported as being 'false positive' findings. However, each is based on a different registry key.

Win32.Yok.supersearch is based on the registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\Component Categories\{00021494-0000-0000-C000-000000000046}
and,
Win32.Yok is based on the registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{A2B7A0F0-B697-4A71-8D91-43443F57D7BB}

My interest is with Win32.Yok, because that is what ZASS is reporting as being on my system.

Although Win32.Yok MAY be a false positive, the question is:

Why does the RegistryKey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{A2B7A0F0-B697-4A71-8D91-43443F57D7BB} keep coming back when it is deleted?

ZASS does delete the key, and I've even deleted it using Regedit, but the registry key keeps coming back.

ZASS may identify the registry key incorrectly when it is found, but when deleted from the registry, shouldn't it stay deleted?

What is this key connected to, that makes it re-appear? Is it really connected to Internet Explorer? I never use IE so it's not a case of IE re-inserting it in the registry when the program runs.

I also use Spyware Doctor and while it doesn't find Win32.Yok as spyware, every time I deleted the offending key, Spyware Doctor popped up an alert saying it had 'immunized' another Active X object. What is the connection?

If this really is a false positive, it should be possible to authenticate where this key comes from to ensure it is legitimate.

Are there any 'Active X' experts out there? Does anyone have any thoughts/answers?

Re: Win32.Yok

I checked the C:\WINDOWS\Downloaded Program files and none of the four old files in my directory reference the Win32.Yok keys.

The list of Managed Add-ons for IE also provides no clues.

I am not familiar with ccleaner and I'm not keen on installing something new when I have a problem.

I noticed on the security and vulnerability forum that new (2 Sep) entries are showing up identifying Win32.Yok as being present. Obviously the latest spyware identity download is picking it up - but it's just the registry key that is present.

I still think that finding out what is causing the registry key to re-appear will lead to a solution.

Re: Win32.Yok

Hi Folks,

I've got exactly the same problem with ZASS 6.5.722.000 on Win2000Pro, and I'm using Spyware Doctor 4.0.0.2613.

EVERY time I scan with ZA, up pops Win32.Yok - it doesn't matter whether I quarantine it or delete it, it's always there (even if I've not used IE).

I've had the problem for about a week now, and I'm VERY disappointed at the lack of help on the ZA pop-up screen.

Thanks for listening!

Re: Win32.Yok

I've pretty well beaten this to death on the Security and Vulnerability forum and readers should go there to read the whole story.

Here is a short version.

The spyware ZA is finding is actually just a registry key inserted by Spyware Doctor, and perhaps other spyware software, to disable (kill) a known piece of Active X malware known as estalive, eihelper, eiyhelper, etc., variously identified as a browser helper object or adware. The CLSID that is causing this problem is: A2B7A0F0-B697-4A71-8D91-43443F57D7BB. A Google search lists 150+ references for this CLSID and, if you check, you will find that it is quite well known and distributed.

ZA is incorrectly identifying the inserted registry key as Win32.Yok, and when deleted, Spyware Doctor or perhaps some other spyware hunter just inserts the key again. It is not yet known what is causing SD to insert the registry key, but it does not appear to be the presence of any actual spyware.

This is probably an ongoing problem that will persist until ZA and PCTools get their act together. For the time being, ZA users should probably not put the Win32.Yok finding in the ZA exception list, as the CLSID represents real malware, but just delete Win32.Yok when it is found and not worry if it is found again on the next scan as long as only the registry key is found.
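An added PowerShell check (not posted by anyone in this thread) that tells an "immunization" entry apart from an installed control: it reads the entry under the ActiveX Compatibility key for the CLSID named above and reports whether the CLSID is actually registered as a COM server on the machine. The `Compatibility Flags` value name and the 0x400 kill-bit flag are Microsoft's documented convention for that key, not something the thread itself states.

```powershell
# Added example: inspect an ActiveX Compatibility entry for a CLSID.
# A "Compatibility Flags" DWORD with bit 0x400 set is the kill bit: IE refuses to
# load that control. The entry carries no code of its own; it only blocks a CLSID.
# Whether the control itself is installed is a separate question, answered by
# HKCR\CLSID\{...}\InprocServer32, so both are reported side by side.
function Get-KillBitStatus {
    param(
        [Parameter(Mandatory)]
        [ValidatePattern('^\{[0-9A-Fa-f-]{36}\}$')]
        [string]$Clsid
    )
    $killBit = 0x400
    $compat  = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    $server  = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid\InprocServer32"

    # Kill-bit side: is there an entry, and does it carry the 0x400 flag?
    $flags = $null
    if (Test-Path -LiteralPath $compat) {
        $flags = (Get-ItemProperty -LiteralPath $compat -ErrorAction SilentlyContinue).'Compatibility Flags'
    }
    $flagsHex = if ($null -ne $flags) { '0x{0:X}' -f $flags } else { $null }

    # Control side: is a COM server registered for this CLSID, and does its DLL exist on disk?
    $dll = $null
    if (Test-Path -LiteralPath $server) {
        $dll = (Get-ItemProperty -LiteralPath $server -ErrorAction SilentlyContinue).'(default)'
    }
    $dllExists = $false
    if ($dll) {
        $dllExists = Test-Path -LiteralPath ([Environment]::ExpandEnvironmentVariables($dll))
    }

    [pscustomobject]@{
        Clsid              = $Clsid
        CompatKeyPresent   = (Test-Path -LiteralPath $compat)
        CompatibilityFlags = $flagsHex
        KillBitSet         = (($null -ne $flags) -and (($flags -band $killBit) -ne 0))
        ControlRegistered  = ($null -ne $dll)
        ServerDll          = $dll
        ServerDllExists    = $dllExists
    }
}

# The CLSID named in the thread.
Get-KillBitStatus -Clsid '{A2B7A0F0-B697-4A71-8D91-43443F57D7BB}' | Format-List
```

KillBitSet true with ControlRegistered false is the situation this thread describes: a blocking entry with no control behind it. ControlRegistered true with the DLL present would mean the control itself is still installed and is the thing to look at.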

Re: Win32.Yok

Tony,

Thank you for your research and efforts. I too have SpyWare Doctor and can confirm your findings. I also concur that the two companies could show a bit of empathy for their respective customers and resolve the issue - or at least acknowledge that it exists.

Again, thank you!

Rick